This article provides an overall review of the proposed European Union General Data Protection Regulation (GDPR), two years after its initial proposal by the European Commission. It places the GDPR in the context of the current Data Protection Directive that it will replace once adopted, and details provisions of the GDPR, including those that were amended by the LIBE Committee (just prior to the vote of changes in the European Parliament sitting in plenary): extraterritorial effect of the GDPR, conditions placed on consent to processing, right to be forgotten and right to erasure, level of administrative sanctions, sensitive data, cross-border data transfers, and requirements for privacy impact assessments and data protection officers. The heavy lobbying on this EU legislation is discussed, and the impact of the NSA PRISM revelations on the legislative process are analyzed.